So I am working through a ssl decrypt issue with PA support. I am being told that because the stream is being segmented - so not coming as 1500mtu packets. the PA can't work out what the stream is.
The implication is that app-id doesn't work properly unless you have full 1500mtu packets.
I thnk my SE is agreeing - not 100% sure.
I am a bit lost on this, cause I wouldn't have though segmentaiton would cause a problem expect for if there was a timeout
segmentation should only become an issue when there is such a large volume that the firewall is unable to properly reassemble the packets in a timely manner
you cold try to adjust the TCP MSS on the interface which could help prevent fragmentation, see if that solves the issue
well this is on a ssl hand shake the initial setup.
I go openssl s_client connect <ip>:443
that fails. I have been working with support for a while now. and they are saying cause their might be some segmenation happening that could affect the firewall interpreting the ssl handshake as some of the packets are not being processed !
I was rather suprised.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!